Storing passwords in plain text in a database or file is not the correct way; an attacker who gains access to the stored passwords can recover them immediately.
Hashes are one-way functions that generate a representation, usually a number, of the data put into them. If an attacker knows which hashing function you used, they can still find the actual password, for example by hashing candidate passwords and comparing the results against the stored values. Salting passwords addresses that problem.
One example of a (toy) hash is converting all the characters in the string to their numeric values and exclusive-oring the binary representation of
Salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase. A new salt is randomly generated for each password.
Different mechanisms can be used to produce the salt:
Always use a fixed salt string.
Use a random piece of data for each password.
Salt derived from metadata: a person's birthday can be used in this scenario. You can see this kind of mechanism implemented when opening a bank statement PDF file.
What the salt effectively does is increase the amount of effort needed to break the password.
How to implement
Generate a random salt value
Concatenate the password and the salt
Hash the concatenated result (password + salt)
Store the hash and the salt (in the database or file).
Implement password verification.
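The five steps above carried out in Python, as an added example that is not code from the original post: it hashes password + salt with SHA-256 exactly as described, uses the standard-library os.urandom, hashlib and hmac modules, and the in-memory db dict is an assumed stand-in for the database or file.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16  # 128-bit random salt per password (chosen for this example)


def generate_salt(length: int = SALT_BYTES) -> bytes:
    """Step 1: a fresh random salt from the OS CSPRNG, never reused."""
    return os.urandom(length)


def hash_password(password: str, salt: bytes) -> bytes:
    """Steps 2-3: concatenate password + salt, then hash the result."""
    return hashlib.sha256(password.encode("utf-8") + salt).digest()


def store_password(db: dict, username: str, password: str) -> None:
    """Step 4: keep the hash and its salt side by side; the salt is not secret."""
    salt = generate_salt()
    db[username] = {
        "salt": salt.hex(),
        "hash": hash_password(password, salt).hex(),
    }


def verify_password(db: dict, username: str, candidate: str) -> bool:
    """Step 5: recompute with the stored salt and compare in constant time."""
    record = db.get(username)
    if record is None:
        return False
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    return hmac.compare_digest(hash_password(candidate, salt), expected)


if __name__ == "__main__":
    # Constructed demo: two users with the same password get different hashes,
    # so a precomputed table for one does not help against the other.
    db = {}
    store_password(db, "alice", "correct horse")
    store_password(db, "bob", "correct horse")
    print(db["alice"]["hash"] != db["bob"]["hash"])   # True
    print(verify_password(db, "alice", "correct horse"))  # True
    print(verify_password(db, "alice", "wrong"))       # False
```

The constant-time compare in step 5 avoids leaking which bytes of the hash matched. For a production system, a dedicated password hashing function such as PBKDF2 (hashlib.pbkdf2_hmac), bcrypt or Argon2 should replace the single SHA-256 round, since those add the configurable work factor that a plain hash lacks.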